Today, we are announcing support for two modern CloudTrail features. Support for log file encryption using Server Side Encryption - Key Management Service (KMS)
You can add an additional layer of security for the CloudTrail log files stored in your S3 bucket by encrypting them with your KMS key. CloudTrail will encrypt the log files using the KMS key you specify. Log File Integrity Validation
You can validate the integrity of the CloudTrail log files stored in your S3 bucket and detect whether they were deleted or modified after CloudTrail delivered them to your S3 bucket. You can use the log file integrity (LFI) validation as a fraction of your IT security and auditing processes.
Source: amazon.com